[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest
Nils Dagsson Moskopp
nils at dieweltistgarnichtso.net
Wed Mar 20 16:41:14 PDT 2013
Anne van Kesteren <annevk at annevk.nl> wrote on Wed, 20 Mar 2013
17:31:14 -0400:
> If you do an XMLHttpRequest from a document hosted at
> /superlonghashkeythatactsasauthenticationtoken you probably do not
> want to expose the Referer header.
A GET request should be idempotent, so what would be the problem? If
subsequent access changes the state of the resource, that seems broken.
> Now 1) this document should be
> hosted over https so this is less likely to be a concern given actual
> implementations of Referer over https and b) for same-origin requests
> this matters less (if at all), it still seems better if anonymous is
> anonymous.
I'd suggest using HMACs instead of hashes for signed action URLs. Right?
--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>